Hi Andres,
If your goal is to change how the Username property is set, you can do this in the DSM Editor, but override the "Username" property, not one of the Identity fields. To ensure the override only applies to that one Event ID, incorporate the "TIMaiData" string into your regex. If it occurs before the source email field, include:
TIMaiData.*?
before the regex you're using to capture the email address. If it occurs after the email address field, include this after the regex you're using:
.*?TIMaiData
This will ensure the override regex only applies when that Event ID is present; other events will use the original Username value parsed by the default DSM behaviour.
Cheers
Colin
------------------------------
COLIN HAY
IBM Security
------------------------------
Original Message:
Sent: Thu October 08, 2020 07:39 PM
From: Andres Arguelles
Subject: Office365 - Override username parsing for specific QID
Hello guys
Recently, I started to check O365 ThreatIntel logs associated to the eventID TIMaiData. Analyzing these particular events I have found that all events relate to the ThreatIntel user from O365 module. I want to override the username parsed for these particular events to get the source e-mail address but the only way I have found is trying to override an identity field before.
What do you suggest to achieve this? I want to avoid the creation of a new custom property and recreate rules for that.
Regards,
------------------------------
Andres Arguelles
------------------------------
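
The anchoring described in the reply above, as an added Python example that is not part of the original thread or of any IBM code: it checks that an override regex tied to the "TIMaiData" string fires only on those events and lets every other event keep its default Username. The payloads, the field names ("Operation", "UserId", "Sender") and the e-mail capture regex are constructed assumptions, since the thread does not show the real log format or the regex in use.

```python
import re

MARKER = "TIMaiData"  # event ID string exactly as written in the thread

# Hypothetical capture for the source e-mail field (assumed field name "Sender").
FIELD = r'"Sender"\s*:\s*"([^"@\s]+@[^"\s]+)"'

# Case 1: the marker occurs before the e-mail field -> prefix "TIMaiData.*?"
MARKER_BEFORE = re.compile(MARKER + r".*?" + FIELD)
# Case 2: the marker occurs after the e-mail field -> suffix ".*?TIMaiData"
MARKER_AFTER = re.compile(FIELD + r".*?" + MARKER)
# The same capture without the marker, to show what the anchoring prevents.
UNANCHORED = re.compile(FIELD)

# Constructed single-line sample payloads (not real Office 365 output).
EVENT_MARKER_FIRST = ('{"Operation":"TIMaiData","UserId":"ThreatIntel",'
                      '"Sender":"alice@example.com"}')
EVENT_MARKER_LAST = ('{"Sender":"bob@example.com","UserId":"ThreatIntel",'
                     '"Operation":"TIMaiData"}')
EVENT_OTHER = ('{"Operation":"FileAccessed","UserId":"carol@example.com",'
               '"Sender":"noreply@example.com"}')


def username_for(payload, default_username):
    """Return the override capture if an anchored pattern matches,
    otherwise the value the default parsing would have produced."""
    for pattern in (MARKER_BEFORE, MARKER_AFTER):
        match = pattern.search(payload)
        if match:
            return match.group(1)
    return default_username


def unanchored_capture(payload):
    """What the bare e-mail regex would capture on any event type."""
    match = UNANCHORED.search(payload)
    return match.group(1) if match else None


if __name__ == "__main__":
    print(username_for(EVENT_MARKER_FIRST, "ThreatIntel"))
    print(username_for(EVENT_MARKER_LAST, "ThreatIntel"))
    print(username_for(EVENT_OTHER, "carol@example.com"))
    print(unanchored_capture(EVENT_OTHER))
```

Because `.` does not match a line break by default, this form of anchoring assumes the marker and the e-mail field sit on the same line of the payload.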